{{{
=================================================================
==7590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200033c9f8 at pc 0x7fee4f62258d bp 0x7fffb403e790 sp 0x7fffb403e780
READ of size 8 at 0x60200033c9f8 thread T0
    #0 0x7fee4f62258c in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368
    #1 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #2 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #3 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #4 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #5 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #6 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #7 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)
    #8 0x40fe59 in _start (/opt/dirsrv/sbin/ns-slapd+0x40fe59)

0x60200033c9f8 is located 0 bytes to the right of 8-byte region [0x60200033c9f0,0x60200033c9f8)
allocated by thread T0 here:
    #0 0x7fee5c1dc0c0 in calloc (/lib64/libasan.so.3+0xc70c0)
    #1 0x7fee5bc7b9ca in slapi_ch_calloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:188
    #2 0x7fee4f621f4f in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:302
    #3 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #4 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #5 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #6 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #7 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #8 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #9 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368 in uniqueness_entry_to_config
Shadow bytes around the buggy address:
  0x0c048005f8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048005f920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c048005f930: fa fa fa fa fa fa 00 00 fa fa 03 fa fa fa 00[fa]
  0x0c048005f940: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f950: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c048005f960: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048005f980: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7590==ABORTING
}}}
ticket47823_test.py is able to trigger this also.
Agreed. tmp_config->attrs is not NULL-terminated... It has to be one sizeof(char *) longer for it. :( {{{ diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c index 5542ae4..e83c31d 100644 --- a/ldap/servers/plugins/uiduniq/uid.c +++ b/ldap/servers/plugins/uiduniq/uid.c @@ -299,7 +299,7 @@ uniqueness_entry_to_config(Slapi_PBlock pb, Slapi_Entry *config_entry) }
/* Store attrName in the config */
/* There is no subtrees */
}}}
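Review bot: the hunk as it appears here carries only its context lines (`}`, `/* Store attrName in the config */`, `/* There is no subtrees */`); the `+`/`-` lines that change the allocation around uid.c:302 are not visible, so the fix described in the comment (one extra `char *` slot for the terminating NULL) cannot be checked against the diff itself. The ASan report above is consistent with that diagnosis: an 8-byte READ at 0 bytes to the right of an 8-byte region that came from `slapi_ch_calloc` at uid.c:302, i.e. a walk over a one-pointer array that expects a NULL in the slot after the last entry. When the full patch is reviewed, confirm that the slot count is `n + 1` rather than `n`, that the terminator relies on calloc zeroing (so no explicit `attrs[n] = NULL` is needed but one would not hurt), and that every reader of `tmp_config->attrs`, including the one at uid.c:368, stops on NULL rather than on a separately tracked count.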
attachment 0001-Ticket-48986-47808-triggers-overflow-in-uiduniq.c.patch
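To make the comment above concrete, here is an added example (not the project's uid.c and not the attached patch) of the two allocation shapes it contrasts: a NULL-terminated pointer array allocated with one slot per name, so the walk that expects a trailing NULL reads one pointer past the end, beside the corrected shape with `n + 1` slots. The struct and function names (`uniq_config`, `entry_to_config_vulnerable`, `entry_to_config_fixed`, `count_attrs`, `attrs_terminated`) are hypothetical stand-ins; the `attrs_cap` field exists only so the check can be expressed without reading out of bounds. The sample attribute list is constructed.

```c
/* Added example, not 389-ds-base code: the "one slot too short" bug
 * behind a heap-buffer-overflow on a NULL-terminated char ** array. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct uniq_config {
    char **attrs;     /* meant to be a NULL-terminated list of attribute names */
    size_t attrs_cap; /* slots actually allocated (hypothetical bookkeeping for the safe check) */
};

/* Plain copy of a C string; avoids strdup() so the file builds under strict ISO C. */
static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *out = malloc(len);
    if (!out) { perror("malloc"); exit(1); }
    memcpy(out, s, len);
    return out;
}

/* Copy n names into an array of `slots` pointers. calloc zeroes the slots,
 * so a terminating NULL appears only if slots > n. */
static char **alloc_attrs(const char **names, size_t n, size_t slots)
{
    char **attrs = calloc(slots, sizeof(char *));
    if (!attrs) { perror("calloc"); exit(1); }
    for (size_t i = 0; i < n; i++)
        attrs[i] = dup_str(names[i]);
    return attrs;
}

/* Buggy shape: n slots for n names, no room for the terminating NULL. */
struct uniq_config *entry_to_config_vulnerable(const char **names, size_t n)
{
    struct uniq_config *cfg = calloc(1, sizeof(*cfg));
    if (!cfg) { perror("calloc"); exit(1); }
    cfg->attrs_cap = n;
    cfg->attrs = alloc_attrs(names, n, n);
    return cfg;
}

/* Fixed shape: n + 1 slots; the extra slot stays NULL because calloc zeroed it. */
struct uniq_config *entry_to_config_fixed(const char **names, size_t n)
{
    struct uniq_config *cfg = calloc(1, sizeof(*cfg));
    if (!cfg) { perror("calloc"); exit(1); }
    cfg->attrs_cap = n + 1;
    cfg->attrs = alloc_attrs(names, n, n + 1);
    return cfg;
}

/* Reader in the style of the code that crashed: it stops only at NULL.
 * On a config from entry_to_config_vulnerable this reads sizeof(char *)
 * bytes immediately past the allocation, which is exactly the shape of
 * the ASan report (8-byte READ, 0 bytes to the right of the region).
 * Only call it on a terminated array. */
size_t count_attrs(const struct uniq_config *cfg)
{
    size_t i = 0;
    while (cfg->attrs[i] != NULL)
        i++;
    return i;
}

/* Bounds-respecting check: is there a NULL somewhere inside the allocated slots? */
int attrs_terminated(const struct uniq_config *cfg)
{
    for (size_t i = 0; i < cfg->attrs_cap; i++)
        if (cfg->attrs[i] == NULL)
            return 1;
    return 0;
}

void free_config(struct uniq_config *cfg)
{
    for (size_t i = 0; i < cfg->attrs_cap && cfg->attrs[i] != NULL; i++)
        free(cfg->attrs[i]);
    free(cfg->attrs);
    free(cfg);
}

int main(void)
{
    /* Constructed input: a single attribute, matching the 8-byte region in the report. */
    const char *names[] = { "uid" };
    struct uniq_config *bad = entry_to_config_vulnerable(names, 1);
    struct uniq_config *good = entry_to_config_fixed(names, 1);

    printf("vulnerable shape terminated: %d\n", attrs_terminated(bad));
    printf("fixed shape terminated:      %d (count %zu)\n",
           attrs_terminated(good), count_attrs(good));
    /* count_attrs(bad) is the overflow; build with -fsanitize=address and
     * uncomment it to get a report of the same shape as the one above. */

    free_config(bad);
    free_config(good);
    return 0;
}
```

The safe check works because the example tracks the allocated slot count separately; the real plugin did not, which is why the only reliable defence is allocating the extra slot at construction time rather than guarding every reader.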
commit ffda694
{{{
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 1.90 KiB | 0 bytes/s, done.
Total 13 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   04a9c89..31c0425  master -> master
}}}
Apparently this got a CVE attached to it .... http://www.openwall.com/lists/oss-security/2017/01/18/5
I want to describe the flaw in this CVE analysis. The CVE request states:
{{{ A attacker, authenticated, but possibly also unauthenticated, could possibly force the plugin to read beyond allocated memory and trigger a segfault. }}}
This is incorrect. Only an authenticated user with write access to cn=config, specifically the uiduniq plugin configuration, can trigger this. In a default install this is only directory manager. If you are directory manager, you can do so many other things, there is no need to trigger an exploit.
This is why I deemed this a stability issue, not a security issue.
Users who are anonymous or bound from a backend do not have access to trigger this.
Metadata Update from @firstyear: - Issue assigned to firstyear - Issue set to the milestone: 1.3.6 backlog
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/2045
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)